Something called CMDServices not going away with Spybot



Riafoo
2006-05-02, 01:02
Been having popups and whatnot out the wazoo. I ran something called Bazooka and followed the instructions given, the URLs given are listed here:

http://www.kephyr.com/spywarescanner/library/e2give/index.phtml?source=app
http://www.kephyr.com/spywarescanner/library/exploit-getaflick.biz/index.phtml?source=app
http://www.kephyr.com/spywarescanner/library/exploit-beehappyy.biz/index.phtml?source=app
http://www.kephyr.com/spywarescanner/library/unknown.startup.125/index.phtml?source=app
http://www.kephyr.com/spywarescanner/library/webhancer/index.phtml?source=app

I never located about 95% of the files in the registry, but I ran Bazooka again recently and it didn't find anything; however, I'm still getting lots of adware in the list with Spybot, and the CMDServices is still sticking around. I don't know if you need this info or not, but here's my HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 6:55:42 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\sys01260521754-.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsn20.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\mljjk.dll (file missing)
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys01260521754-] C:\WINDOWS\sys01260521754-.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139166118578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe


Thanks a bajillion for any help you can give me.

pskelley
2006-05-03, 23:23
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, follow these directions in the posted order.

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsn20.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\mljjk.dll (file missing)
O4 - HKLM\..\Run: [sys01260521754-] C:\WINDOWS\sys01260521754-.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\sys01260521754-.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

These two items in the Trusted Zone: *.media-motor.net and *.mmohsix.com are nasty and hard to remove. The * means they load early and they are hard to remove because of this. If they are still there in the next log, use HJT again on them in Safe Mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Restart the computer and post the ewido scan results, a new HJT log and your comments, anything you think will help. Let me know how the computer is running now.

Thanks...pskelley
Safer Networking Forums

Riafoo
2006-05-05, 00:50
Thanks a ton for the help, first of all.

When I ran HijackThis, I got an error message. Here's the copy and paste of that if it's helpful:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: iniwin32.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan


Also, when I rebooted, Ewido kept finding an infected file under win32, I think under WINDOWS, but when I would choose to clean it, it would pop right back up. So I chose none.

Here's the Ewido scan report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:16:56 PM, 5/4/2006
+ Report-Checksum: A1B6A8DF

+ Scan result:

[748] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[800] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[812] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[996] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1072] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1268] C:\WINDOWS\System32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1456] C:\WINDOWS\System32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1636] C:\WINDOWS\System32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1680] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1936] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[500] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[704] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1236] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1812] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[664] C:\WINDOWS\System32\iniwin32.dll -> Adware.E2give : Error during cleaning
[680] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1544] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1616] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[1800] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[2052] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[2832] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[2840] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[3972] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
C:\Documents and Settings\Benji\Local Settings\Temp\Temporary Internet Files\Content.IE5\VW6GW9JE\WinATS[1].cab/WinATS.dll -> Adware.Mirar : Error during cleaning
C:\WINDOWS\ac2_0009.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\WINDOWS\pi1_36.exe -> Downloader.Small.cqy : Cleaned with backup
C:\WINDOWS\pop06ap2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\cloudsim.exe -> Logger.VB.eh : Cleaned with backup
C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
C:\WINDOWS\Temp\ASHeuristic\mmxp2passion_exe.vir -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__sys01260521754-.exe -> Adware.Enbrow : Cleaned with backup


::Report End


And here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:05 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Benji\Desktop\HijackThis(2).exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139166118578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe


There were also several of the HijackThis files you told me to fix that were not there.

O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsn20.dll
O4 - HKLM\..\Run: [sys01260521754-] C:\WINDOWS\sys01260521754-.exe
O15 - Trusted Zone: *.media-motor.net

There may have been one more, but those are the only ones I recall not being in the log. I probably should have copied them down when I was looking for them.

Thanks again for your help. I'll do some surfing or whatever and see if I get any more popups or anything. If you need anything else, post it please.

Thanks again.

-Riafoo

pskelley
2006-05-05, 01:45
OK Riafoo, we have problems so we need to talk. For some reason you started with HJT here: C:\HijackThis\HijackThis.exe
which was ok, and you moved it to here: C:\Documents and Settings\Benji\Desktop\HijackThis(2).exe
which is not ok. We have other problems but we need to fix HJT. What I want you to do is make sure you only have one instance of HJT running on the computer. If you want to run it here:
C:\Documents and Settings\Benji\Desktop\HijackThis(2).exe you must make a folder, call it HJT and move the HJT.exe and logs into that folder. Do this before you proceed.

Start > Control Panel > Add Remove programs and uninstall C:\Program Files\E2G <<< if it is there.

Now I want you to do this:

Open HJT and choose "Delete a file on reboot"

Copy and paste this: C:\WINDOWS\system32\iniwin32.dll into the box that says "File Name"
then click on OPEN. Then click YES to restart the computer. That file should be removed during the rebooting process.

Once the computer has rebooted, then Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if they are there)

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O20 - AppInit_DLLs: iniwin32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Now restart the computer in Safe Mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

Open ewido and run a complete system scan allowing it to remove anything it locates unless you know it is not bad. Save the scan report.

Once ewido is finished, restart the computer back to Normal Mode and post the ewido scan results and a new HJT log. Include your comments.

Thanks

Riafoo
2006-05-05, 05:30
Alrighty, I'm not sure why I decided to have two different HJTs, but I'm back to using the first one in C:/HijackThis/Hijackthis.exe. I hope that doesn't cause more confusion. Sorry about that.

Here's the ewido log:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:15:32 PM, 5/4/2006
+ Report-Checksum: F1A29724

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Cleaned with backup
[220] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[272] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[284] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[440] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[500] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[548] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
[820] C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning
C:\WINDOWS\system32\iniwin32.dll -> Adware.E2give : Error during cleaning


::Report End


And here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:59 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139166118578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe


I got that prompt from Ewido on reboot again with the file infected with the E2G mess, and it wouldn't clean. I also didn't find it in my Add/Remove files menu; it seems to be eluding me.

I also got the error again from HJT when I tried to fix those two files (both were there). Looking at the log, they seem to be back. Should I try going back into the registry and removing all the E2G stuff the way the Bazooka URL had me do?

Thanks for your continued help and sorry about the multiple HJTs I decided to put on my computer for only God knows why.

On another note, I don't seem to be getting any popups now. Before, I would be playing games only to tab out of whatever game and have anywhere from 8 to 9 IE popups. I played most of today and got none. Good news, at least.

-Riafoo

Riafoo
2006-05-05, 05:35
I just noticed that iniwin32.dll seems to still be there in the logs. It was under Open the Misc Tools section - "Delete a file on reboot" that I was supposed to remove it, correct? I'm just checking to be sure I did that right.

Thanks.

-Riafoo

pskelley
2006-05-05, 14:03
Hi Riafoo. Right you are, this one is being difficult. Here is what they look like in the log, and this is all we have left; you are clean otherwise:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O20 - AppInit_DLLs: iniwin32.dll <<< and of course we know this one is here: C:\WINDOWS\system32\iniwin32.dll
Here is what CastleCops says about it: http://castlecops.com/o20list-186.html and what it is: http://www.symantec.com/avcenter/venc/data/spyware.e2give.html
The BHO has had the file removed, so it is not working anymore, and the .dll is what is keeping us from removing the BHO, I believe.

There is another member here at Safer with the same thing and I will let you look at the attempts to remove it. Remember that the infection they have is different and I am showing you this only so you can watch the attempts to remove what you are trying to remove also.
http://forums.spybot.info/showthread.php?p=23843#post23843

I talked with one expert and he said he always removes it like this:

usually I simply fix the O20 and delete the dll in safe mode

So we will try that first. Boot into safe mode, and then use HJT.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O20 - AppInit_DLLs: iniwin32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Stay in safe mode and navigate to the file, right click on it and delete it:
C:\WINDOWS\system32\iniwin32.dll <<< file

Restart the computer and if it is gone, let me know so I can give you good closing information. If it is still there, then we must use Killbox.

Open this link and read all the information so you will know what you are doing. Download Killbox; there are three methods of killing the file. Use them in order, and check to see if the file is gone after each attempt.
http://forum.malwareremoval.com/viewtopic.php?t=320

You may have to use HJT to clean the two lines from the log after Killbox has killed the file. Once you no longer see the BHO and the O20 items in the log, post a last log for me.


I also got the error again from HJT when I tried to fix those two files (both were there). Looking at the log, they seem to be back. Should I try going back into the registry and removing all the E2G stuff the way the Bazooka URL had me do?

We may have to use the above methods, we also have the manual instructions from Symantec in the link above. Let's see what happens with the instructions I have posted.

Thanks...Phil

Riafoo
2006-05-05, 21:11
This thing is tenacious. I feel like I'm trying to push a mountain off the edge of the world (nobody told me the world was round).

None of the Killbox methods seem to be prying the file from my system. Here's another HJT log if you want it:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:04 PM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139166118578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe


When I tried to delete it manually, it was apparently in use. The first Killbox method simply said it wouldn't delete. The other two methods gave no indication whether or not they were successful, but I got the prompt from Ewido when I booted up again that E2G was still alive and kicking (probably angrily). I get the feeling my computer has been impregnated with the demon baby from hell. I just hope it doesn't give birth any time soon.

Should I resort to Symantec's manual removal tactics, or are there other things to try? And did you want another Ewido scan and log?

-Riafoo

pskelley
2006-05-05, 23:47
Hi Riafoo, I am working on this problem and trying to get additional information. You are aware that another member has the same problem here:
http://forums.spybot.info/showthread.php?p=23957#post23957

We have not tried to unregister the .dll yet, so let's try what shelf life posted here:

go to start > run > type in cmd; a DOS prompt should open in a new window. At the prompt type: regsvr32 /u iniwin32.dll (note space after 32 and /u), hit enter, then delete the e2g folder and the iniwin32.dll in the system32 dir.

Let me know what happens.

Thanks...Phil

Riafoo
2006-05-06, 04:54
I'm getting a similar error as levskarcheto. It says:

iniwin32.dll was loaded, but the DllUnregisterServer entry point was not found.

This file can not be registered.

Seems to be verbatim what he is getting. It also wouldn't let me delete the E2G folder or iniwin32.dll.

-Riafoo

pskelley
2006-05-06, 12:20
Hello Riafoo, please check for a private message. Since it is obvious the Unlocker did not work here:
http://forums.spybot.info/showthread.php?p=24009#post24009

I would say to review the instructions in the Major Geeks link:
http://forums.majorgeeks.com/showthread.php?t=90586

and give that fix a try. Let us know how it works.

Thanks...Phil

Riafoo
2006-05-06, 17:20
Well, I did each step except the last one. When I ran HJT, I didn't see the two lines I've been trying to fix. Here's the avenger.txt; it's kind of long:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\etnsbtsu

*******************

Script file located at: \??\C:\WINDOWS\hpbetaxp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\System32\askearth17.exe not found!
Deletion of file C:\WINDOWS\System32\askearth17.exe failed!

Could not process line:
C:\WINDOWS\System32\askearth17.exe
Status: 0xc0000034



File C:\WINDOWS\System32\ei.exe not found!
Deletion of file C:\WINDOWS\System32\ei.exe failed!

Could not process line:
C:\WINDOWS\System32\ei.exe
Status: 0xc0000034



File C:\WINDOWS\System32\filgmo.exe not found!
Deletion of file C:\WINDOWS\System32\filgmo.exe failed!

Could not process line:
C:\WINDOWS\System32\filgmo.exe
Status: 0xc0000034

File C:\WINDOWS\system32\iniwin32.dll deleted successfully.


File C:\WINDOWS\System32\pruttct.exe not found!
Deletion of file C:\WINDOWS\System32\pruttct.exe failed!

Could not process line:
C:\WINDOWS\System32\pruttct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\prutpct.exe not found!
Deletion of file C:\WINDOWS\System32\prutpct.exe failed!

Could not process line:
C:\WINDOWS\System32\prutpct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\prutsct.exe not found!
Deletion of file C:\WINDOWS\System32\prutsct.exe failed!

Could not process line:
C:\WINDOWS\System32\prutsct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\ptech.exe not found!
Deletion of file C:\WINDOWS\System32\ptech.exe failed!

Could not process line:
C:\WINDOWS\System32\ptech.exe
Status: 0xc0000034



File C:\WINDOWS\System32\skytown.exe not found!
Deletion of file C:\WINDOWS\System32\skytown.exe failed!

Could not process line:
C:\WINDOWS\System32\skytown.exe
Status: 0xc0000034



File C:\Program Files\data19 not found!
Deletion of file C:\Program Files\data19 failed!

Could not process line:
C:\Program Files\data19
Status: 0xc0000034



File C:\WINDOWS\pi1.exe not found!
Deletion of file C:\WINDOWS\pi1.exe failed!

Could not process line:
C:\WINDOWS\pi1.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\askearth17.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\askearth17.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\askearth17.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\ei.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\ei.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\ei.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\filgmo.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\filgmo.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\filgmo.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\prutpct.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\prutpct.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\prutpct.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\prutsct.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\prutsct.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\prutsct.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\ptech.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\ptech.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\ptech.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Desktop\skytown.exe not found!
Deletion of file C:\Documents and Settings\Benji\Desktop\skytown.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Desktop\skytown.exe
Status: 0xc0000034



File C:\Documents and Settings\Benji\Local Settings\Temp\ei.exe not found!
Deletion of file C:\Documents and Settings\Benji\Local Settings\Temp\ei.exe failed!

Could not process line:
C:\Documents and Settings\Benji\Local Settings\Temp\ei.exe
Status: 0xc0000034

Folder C:\PROGRAM FILES\E2G deleted successfully.


Folder C:\PROGRAM FILES\Windows AdStatus not found!
Deletion of folder C:\PROGRAM FILES\Windows AdStatus failed!

Could not process line:
C:\PROGRAM FILES\Windows AdStatus
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\software\e2g deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I looked around in there and saw that it deleted iniwin32.dll, which is so nice. Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:03 AM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139166118578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Neither of those lines is there. But I ran Spybot just now and it still told me it couldn't get rid of two items:

Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

and

Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Both were under the Command Service list.

-Riafoo

pskelley
2006-05-06, 17:44
Since this is the first time I have used the fix you ran, I will say that it looks like the fix is set up to remove anything that could be part of the infection. I see some items:
Example: File C:\WINDOWS\System32\ei.exe not found!
Deletion of file C:\WINDOWS\System32\ei.exe failed!

Of course if the item is not there, or was removed earlier, it could not be found, and if it could not be found, it surely could not be deleted:laugh:

Now we know about this one >>> File C:\WINDOWS\system32\iniwin32.dll deleted successfully. It was there and it was deleted!!

I think if we had run this fix, instead of the others we used, the log would have been much different.

Your HJT log is clean of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Now as to the Command Service issue, in case I have not mentioned it, this is a glitch in Spybot reporting. First make sure Spybot is totally up to date. If it is, then try these tools in the order I post them. Run Spybot after the first and the Command Service item should be gone. If not, then try the second tool.

Tool #1
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted!
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it and then double-click the
ren-cmdservice.bat file to run the program.
A text file will open when it is finished; post it, please.
Then restart the PC, run Spybot, and check for and fix any problems found.


Tool #2
Please download delcmdservice (by Marckie), http://users.telenet.be/marcvn/tools/delcmdservice.zip
and save it to your Desktop.
Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

No need to post again unless you want to, safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
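
The two persistence points this thread deals with are the AppInit_DLLs value (the O20 line in the first HJT log, which is how iniwin32.dll got loaded into processes) and the cmdService service keys that Spybot kept reporting under both ControlSet001 and CurrentControlSet. The script below is an added verification example, not a tool from this thread or from Spybot; it only reads and reports, so it is the kind of check you would run after the fixes above to confirm the system is actually clean. The names iniwin32.dll and cmdService are taken from the posts; everything else is assumed for illustration.

```powershell
# Added audit example (not from the thread): report on the persistence points discussed above.
# Run from an elevated PowerShell prompt; it makes no changes to the system.
$suspectDll = 'iniwin32.dll'   # name taken from the O20 - AppInit_DLLs line in the HJT log
$suspectSvc = 'cmdService'     # service key name reported by Spybot
$findings   = @()

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
#    so a non-empty value on a home system deserves a close look.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    $findings += 'AppInit_DLLs is empty (expected on a clean home system).'
} else {
    # The value is a comma- or space-separated list; bare names resolve relative to system32.
    foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $path = if (Test-Path $entry) { $entry } else { Join-Path $env:SystemRoot "system32\$entry" }
        $findings += "AppInit_DLLs entry '$entry' -> $path (file present: $(Test-Path $path))"
    }
}

# 2. Service keys: a key can linger in ControlSet001 after it is gone from CurrentControlSet,
#    which is why Spybot reported both paths in the thread.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $svcKey = "HKLM:\SYSTEM\$cs\Services\$suspectSvc"
    if (Test-Path $svcKey) {
        $props = Get-ItemProperty -Path $svcKey
        $findings += "$svcKey exists; ImagePath = '$($props.ImagePath)'; Start = $($props.Start)"
    } else {
        $findings += "$svcKey not present"
    }
}

# 3. Is the DLL still on disk, and if so, which running processes have it loaded?
#    (A loaded DLL is exactly why manual deletion failed with 'in use' earlier in the thread.)
$dllPath = Join-Path $env:SystemRoot "system32\$suspectDll"
if (Test-Path $dllPath) {
    $holders = Get-Process | Where-Object {
        # Module enumeration throws for protected/system processes; treat those as unknown.
        try { $_.Modules | Where-Object { $_.ModuleName -ieq $suspectDll } } catch { $null }
    } | Select-Object -ExpandProperty ProcessName -Unique
    $findings += "$dllPath is present; loaded by: $($holders -join ', ')"
} else {
    $findings += "$dllPath not present"
}

$findings
```

One caveat worth keeping in mind when reading the regsvr32 error quoted earlier in the thread: regsvr32 /u simply calls a DLL's exported DllUnregisterServer function, and a DLL loaded through AppInit_DLLs has no reason to export one. The "entry point was not found" message therefore says only that the file is not a COM server, not that it is protected or still active; the file's presence, the registry value that references it, and the processes holding it loaded are the things that actually need to be checked, which is what the script above reports.
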

tashi
2006-05-11, 09:14
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Thank you pskelley